Mavericks-based Macs in Active Directory

Discussion in 'OS X Mavericks (10.9)' started by Yebubbleman, Jul 1, 2014.

  1. Yebubbleman macrumors 68030

    Yebubbleman

    Joined:
    May 20, 2010
    Location:
    Los Angeles, CA
    #1
    Presently, I work IT for a company with around 1000 machines. We presently have no Mac in place running OS X server and we pretty much join the ~40 Macs that we do have to our Active Directory domain ending in .local.

    We've found that doing this really only buys us login credential consistency and nothing else.

    Otherwise, our Macs are consistently having issues authenticating, both at login and to shared resources. As of Mavericks, several users will now lose connection to our file servers (one of which is a NetApp NAS and the other of which is a server running Windows 2008 R2 Datacenter Edition).

    Both servers serve via SMB. I know that, as of Mavericks, OS X defaults to SMB2 when "smb://" is used. Figuring that using "cifs://" forces Mavericks to switch back to the original SMB protocol, I have invoked that and have found that my mileage hasn't changed much, if at all.

    Password resets for users are a nightmare too, given that few of them pay attention to the part where they are asked to update their keychain, often resulting in broken keychains. This is not hard to resolve, but it is legitimately annoying both for us and for them.

    Furthermore, joining Macs to the Active Directory Domain is a bit of a hassle as well; certainly more than is advertised by Apple in switching material and the Mac Integration Basics certification course.

    Given that only a few users use things for which there are no Windows equivalents, I made the bold proposition to transition away from the Mac platform (not because the platform isn't great and not because we think they're bad machines, but rather due to conditions that make having them around difficult for all parties involved), which my IT department approved but which was then shot down by higher-up executives.

    My research so far suggests that part of the problem is that OS X has grown decreasingly tolerant of .local AD domains since Snow Leopard and that this is a large part of the problem. Other research points me in the direction of doing something like the Golden Triangle. And other research thereafter tells me that there's really no way to improve this situation beyond segregating the platforms by network, which is also not an option. Admittedly, I'm a wiz when it comes to the Mac side of things, but get lost when it comes to the Windows Server side of things.

    Long story short, given all of this, is there anything I can do to improve the situation? My superiors are looking into a virtualized solution for OS X Server (not hosted on physically present Apple hardware); though, correct me if I'm wrong, I do not believe that's feasible. Is there any way to make the experience of managing these Macs less difficult/annoying?
     
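    As an added example (not a script from any poster in this thread): on 10.9 the client's SMB protocol negotiation can be pinned system-wide in /etc/nsmb.conf instead of relying on every user to remember to type cifs:// rather than smb://. The functions below stage that file and read the chosen mode back. Assumption: the `smb_neg` key with the values `normal`, `smb1_only` and `smb2_only` as documented in `man nsmb.conf` on Mavericks; confirm it on your build before deploying.

```bash
#!/bin/bash
# Pin the SMB client's protocol negotiation system-wide via /etc/nsmb.conf.
# Added example; the smb_neg key and its values are assumed from nsmb.conf(5)
# on OS X 10.9 and should be checked against the man page on your machines.
set -u

# write_nsmb_conf FILE MODE   MODE is one of: normal | smb1_only | smb2_only
# smb1_only is the system-wide equivalent of typing cifs://, and applies to
# every mount (Finder, mount_smbfs, automounts) rather than one URL at a time.
write_nsmb_conf() {
  local file="$1" mode="$2"
  case "$mode" in
    normal|smb1_only|smb2_only) ;;
    *) echo "unknown smb_neg mode: $mode" >&2; return 2 ;;
  esac
  cat > "$file" <<EOF
[default]
smb_neg=$mode
EOF
}

# nsmb_mode_of FILE   print the smb_neg value currently in FILE (empty if unset)
nsmb_mode_of() {
  local file="$1"
  [ -r "$file" ] || return 1
  sed -n 's/^[[:space:]]*smb_neg[[:space:]]*=[[:space:]]*//p' "$file" | head -n 1
}

# Usage:  sudo ./nsmb-pin.sh --install smb1_only
# Stage to a temp file first so a typo in MODE never leaves /etc/nsmb.conf half-written;
# already-mounted shares keep their negotiated dialect until they are remounted.
if [ "${1:-}" = "--install" ]; then
  tmp=$(mktemp)
  write_nsmb_conf "$tmp" "${2:-smb1_only}"
  install -m 644 -o root -g wheel "$tmp" /etc/nsmb.conf
  rm -f "$tmp"
  echo "installed: smb_neg=$(nsmb_mode_of /etc/nsmb.conf)"
fi
```

    Forcing SMB1 is a workaround for the 10.9 client bugs being discussed, not a destination: SMB1 has no session signing by default against most NAS firmware, so revert to `normal` once the client side is fixed.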
  2. scaredpoet macrumors 604

    scaredpoet

    Joined:
    Apr 6, 2007
    #2
    Pretty much running OS X Server is your best bet to smoothing things out. OS X Server can run virtualized; it's supported by VMware, Parallels and VirtualBox and permitted under Apple's EULA.
     
  3. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #3
    ...but needs to run on Apple hardware.
     
  4. scaredpoet macrumors 604

    scaredpoet

    Joined:
    Apr 6, 2007
    #4
    Sounds like it's time for the OP's employers to pony up a Mac mini. :)
     
  5. Chris Grande macrumors regular

    Chris Grande

    Joined:
    Jun 17, 2003
    #5
    I have around 200 machines humming along on AD since back in the 10.2 days. Any large issues I had fell into the camps of:
    1.) Time issues, a 5 minute drift will cause Kerberos to fail.
    2.) DNS being wrong, forward/reverse not matching.

    For joining I recommend writing a script (look at dsconfigad) or moving to a deployment solution, DeployStudio for example, which has built-in tasks for binding. dsconfigad also has more settings which might help in your environment.

    Management these days can be done with Profiles; you could run Profile Manager on a single client, download the profiles and then deploy them with another tool, for example Munki. That is, if you can't get an actual Mac server in house to run Profile Manager on.
     
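    An added example, written for this thread rather than taken from any poster: a bind script in the spirit suggested above, which checks the two failure modes named (clock skew beyond what Kerberos tolerates, and forward/reverse DNS that do not agree) before calling dsconfigad. The domain corp.local, the DC name, the OU path and the admin account are hypothetical placeholders; `ntpdate -q`, `dig` and `dsconfigad` are the stock 10.9 tools.

```bash
#!/bin/bash
# Pre-bind checks (Kerberos clock skew, forward/reverse DNS agreement) followed
# by a dsconfigad bind. Added example, not a poster's script. Domain, DC, OU and
# admin name below are hypothetical; substitute your own.
set -u

KERB_MAX_SKEW=300   # Kerberos' default clockskew is 5 minutes; drift beyond it fails auth

# skew_ok OFFSET_SECONDS -> 0 when |offset| is inside the Kerberos window
skew_ok() {
  local off="$1"
  if [ "$off" -lt 0 ]; then off=$(( 0 - off )); fi
  [ "$off" -lt "$KERB_MAX_SKEW" ]
}

# canon NAME -> lowercase with the trailing dot removed (dig prints "host.corp.local.")
canon() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# dns_consistent HOST FORWARD_IP PTR_NAME -> 0 when HOST has an A record and the
# PTR for that address names HOST again; an empty FORWARD_IP means no A record
dns_consistent() {
  local host="$1" ip="$2" ptr="$3"
  [ -n "$ip" ] || return 1
  [ "$(canon "$host")" = "$(canon "$ptr")" ]
}

# Live checks against the domain controller (need network and the real tools).
live_checks() {
  local dc="$1" host ip ptr off
  host=$(hostname -f)
  # ntpdate -q prints "server X, stratum N, offset S.SSS, delay D"; keep the integer seconds
  off=$(ntpdate -q "$dc" | awk '{for (i=1;i<=NF;i++) if ($i=="offset") {sub(",","",$(i+1)); printf "%d", $(i+1)}}')
  skew_ok "${off:-999999}" || { echo "clock off by ${off}s from $dc; fix NTP first" >&2; return 1; }
  ip=$(dig +short A "$host" | head -n 1)
  ptr=$(dig +short -x "$ip" 2>/dev/null | head -n 1)
  dns_consistent "$host" "$ip" "$ptr" \
    || { echo "DNS mismatch: $host -> '$ip' -> '$ptr'" >&2; return 1; }
}

# bind_to_ad DOMAIN ADMIN: no -password on the command line, so dsconfigad prompts
# and the credential never lands in ps output or shell history.
bind_to_ad() {
  local domain="$1" admin="$2"
  dsconfigad -add "$domain" -username "$admin" -ou "OU=Macs,DC=corp,DC=local" \
    -computer "$(hostname -s)" -force
  # Require signed and sealed LDAP so directory lookups are not readable on the wire.
  dsconfigad -mobile enable -mobileconfirm disable -localhome enable \
    -useuncpath enable -protocol smb -packetsign require -packetencrypt require \
    -groups "Domain Admins,Enterprise Admins"
  dsconfigad -show
}

# Usage:  sudo AD_ADMIN=svc-macbind ./bind.sh corp.local dc1.corp.local
if [ $# -eq 2 ]; then
  live_checks "$2" && bind_to_ad "$1" "${AD_ADMIN:-administrator}"
fi
```

    `-force` replaces a stale computer object left behind by an earlier bind, which is usually what a re-imaged Mac needs; after binding, `kinit user@CORP.LOCAL` followed by `klist` is the quickest way to confirm Kerberos itself is healthy before blaming SMB.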
  6. Yebubbleman thread starter macrumors 68030

    Yebubbleman

    Joined:
    May 20, 2010
    Location:
    Los Angeles, CA
    #6
    It looks like I am being given the green light to set up a Mac Pro (Quad-Core, Mid 2010) as a server in one of our two buildings and an iMac (21.5-inch, Mid 2011) in the other, and when we consolidate both buildings into one location next year, the iMac will go away in favor of the Mac Pro. This being said, does anyone have any advice as to how to proceed? I'm rolling with the assumption that the best course of action to make sure that everything is purring along happily is to bind the Mac Pro to Active Directory and then set it up as an Open Directory Master (that gets its data from Active Directory) a la "The Golden Triangle", then set the iMac up as an Open Directory Replica of the master, and then (shudder) re-bind all of our Macs to their respective OD servers.

    Is there anything that sounds immediately stupid about this idea? Does anyone have any suggestions? Please, any criticism/advice is welcome!
     
  7. satcomer, Jul 23, 2014
    Last edited: Aug 19, 2014

    satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #7
    I had a friend that had some NAS issues with Time Machine in his small business. I then pointed him to the blog post Configuring OS X Mountain Lion Time Machine to Work With CIFS (SMB) Share (don't worry, it also works in 10.8 & 10.9). He said this worked on his Active Directory NAS device. This part might help in backing up to the company's NAS devices.
     
  8. Yebubbleman thread starter macrumors 68030

    Yebubbleman

    Joined:
    May 20, 2010
    Location:
    Los Angeles, CA
    #8
    I appreciate the effort here and thank you for it, but I don't think that's entirely relevant; plus 10.9 uses SMB2 which appears to be at the root of a lot of problems that we are now having that we didn't have in 10.8.
     
  9. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #9
    In 10.9+ some users have reported that it works if they use the string cifs:// instead of smb://. Try it to see if it works for you.
     
  10. Yebubbleman thread starter macrumors 68030

    Yebubbleman

    Joined:
    May 20, 2010
    Location:
    Los Angeles, CA
    #10
    It helps, but only so much. The problem still persists.
     